Common attack types, characteristics and methods
Attack characteristics are the specific fingerprints of an attack; intrusion detection systems and network scanners rely on these characteristics to identify and prevent attacks. The following is a brief review of some of the methods used to penetrate networks and hosts.
Common methods of attack
You may already know a number of common attack methods; some of them are listed below:
· Dictionary attack: Attackers use automated programs to guess user names and passwords. Auditing for such attacks usually requires comprehensive logging and an intrusion detection system (IDS).
· Man-in-the-middle attack: The attacker sniffs passwords and other information from legitimate transmissions. An effective defence against this type of attack is strong encryption.
· Hijacking attack: A third party (the attacker) breaks into an established session between two parties, knocks one side off the connection and impersonates it to continue the conversation with the other party. Although not a complete solution, strong authentication helps protect against this attack.
· Virus attack: A virus is a small program that reproduces and propagates itself, consuming system resources. During the audit you should make sure the latest anti-virus software is installed and that users have been educated about viruses.
· Illegal service: An illegal service is any process or service that runs on your operating system without consent. You will learn about this kind of attack in the next lesson.
· Denial of service attack: Various programs (including viruses and packet generators) are used to crash a system or consume its bandwidth.
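The dictionary attack entry above says that auditing such attacks depends on logging and an IDS. The following Python is an added example, not part of the original lesson: it runs a simple detection over a few constructed sshd-style "Failed password" log lines, flags any source that accumulates five or more failures inside a sliding 60-second window, and distinguishes a classic dictionary attack (many guesses against one account) from a password spray (one guess against many accounts). The sample log lines, the thresholds and the sshd line format are assumptions for the example.

```python
"""Detect dictionary / password-guessing attacks from login failure records."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in sshd's "Failed password" format; they are
# not taken from any real host.  203.0.113.7 hammers one account,
# 192.0.2.9 tries one guess against many accounts, 198.51.100.4 is noise.
SAMPLE_LOG = """\
Mar 10 08:00:01 gw sshd[2101]: Failed password for root from 203.0.113.7 port 40211 ssh2
Mar 10 08:00:05 gw sshd[2103]: Failed password for root from 203.0.113.7 port 40212 ssh2
Mar 10 08:00:09 gw sshd[2105]: Failed password for root from 203.0.113.7 port 40213 ssh2
Mar 10 08:00:13 gw sshd[2107]: Failed password for root from 203.0.113.7 port 40214 ssh2
Mar 10 08:00:17 gw sshd[2109]: Failed password for root from 203.0.113.7 port 40215 ssh2
Mar 10 08:00:21 gw sshd[2111]: Failed password for root from 203.0.113.7 port 40216 ssh2
Mar 10 08:02:00 gw sshd[2120]: Failed password for invalid user alice from 192.0.2.9 port 51000 ssh2
Mar 10 08:02:04 gw sshd[2121]: Failed password for invalid user bob from 192.0.2.9 port 51001 ssh2
Mar 10 08:02:08 gw sshd[2122]: Failed password for carol from 192.0.2.9 port 51002 ssh2
Mar 10 08:02:12 gw sshd[2123]: Failed password for invalid user dave from 192.0.2.9 port 51003 ssh2
Mar 10 08:02:16 gw sshd[2124]: Failed password for eve from 192.0.2.9 port 51004 ssh2
Mar 10 08:03:00 gw sshd[2130]: Accepted password for carol from 192.0.2.9 port 51005 ssh2
Mar 10 08:05:00 gw sshd[2140]: Failed password for bob from 198.51.100.4 port 33000 ssh2
Mar 10 08:15:00 gw sshd[2150]: Failed password for bob from 198.51.100.4 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) "
)


def parse_failures(text):
    """Yield (timestamp, source ip, target user) for every failed-login line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; relative ordering is all we need
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"], m["user"]


def detect_guessing(text, threshold=5, window=60):
    """Flag sources with >= threshold failures inside any `window`-second span.

    Returns {ip: {"attempts": n, "users": distinct_users, "kind": ...}} where
    kind is "spray" when the guesses are spread over several accounts and
    "dictionary" when they concentrate on one or two accounts.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window` seconds
            while (events[end][0] - events[start][0]).total_seconds() > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, {u for _, u in events[start:end + 1]})
        if best:
            count, users = best
            alerts[ip] = {
                "attempts": count,
                "users": len(users),
                "kind": "spray" if len(users) >= 3 else "dictionary",
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {info['kind']} attack, {info['attempts']} failures "
              f"against {info['users']} account(s) within 60s")
```

The sliding window matters: a source that spreads a few hundred guesses over a day never trips a fixed "N failures per minute" counter, so an audit should also run the same function with a much longer window and a higher threshold.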
Targets vulnerable to attack
The most common targets for attacks include routers, databases, Web and FTP servers, and protocol-related services such as DNS, WINS and SMB. This lesson discusses these common targets.
Router
Routers connected to the public network are frequent targets because they are exposed. Many routers are a potential problem because they can be managed via SNMP, especially SNMPv1, which sends its community string in plaintext. Many network administrators neither disable nor encrypt Telnet sessions, and if a password transmitted in plaintext is intercepted, the attacker can reconfigure the router, including shutting down interfaces and altering route metrics. Physical security is also worth considering: you must ensure that outsiders cannot gain physical access to the router for a console session.
Filter Telnet
To avoid unauthorized router access, use a firewall to filter Telnet (TCP port 23) and SNMP (UDP ports 161 and 162) on the router's external interfaces.
Technical tip: Many network administrators make a habit of disabling the Telnet service once the router is configured, because routers do not require much ongoing maintenance. If further configuration is needed, it can be done over a physical console connection.
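The router section above singles out SNMPv1 because its community string travels in the clear. The following Python is an added example, not part of the original lesson or of any vendor's software: it builds a constructed SNMPv1/v2c GetRequest with a minimal BER encoder (so the sample bytes are exact rather than hand-typed), then decodes the message the way an IDS or audit tool would, pulling out the version and community string and reporting plaintext and default communities. The packet, the default-community list and the OID are assumptions for the example.

```python
"""Audit SNMP management traffic for plaintext and default community strings."""

# Minimal BER helpers used both to build the constructed sample packet and to
# decode it again; no packet here was captured from a real router.


def ber_length(n):
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value):
    # two's-complement, minimal length; SNMP header integers are non-negative
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])       # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                  # base-128, continuation bit set
            chunk.append(0x80 | (arc & 0x7F))       # on every byte except the last
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def snmp_get_request(version, community, oid, request_id=1):
    """Build an SNMPv1 (version 0) or SNMPv2c (version 1) GetRequest message."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))          # OID + NULL value
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0)      # error-status
              + ber_integer(0) + tlv(0x30, varbind))              # error-index, varbind list
    return tlv(0x30, ber_integer(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the BER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


DEFAULT_COMMUNITIES = {"public", "private"}          # assumption: the usual factory defaults


def audit_snmp(packet):
    """Extract version and community from an SNMP message and report weaknesses.

    Returns {"version": int, "community": str | None, "findings": [str]}.
    SNMPv3 messages carry no community string (the second element is a
    SEQUENCE of header data), so community comes back as None for them.
    """
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, vbody, pos = read_tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(vbody, "big", signed=True)
    ctag, cbody, _ = read_tlv(body, pos)
    community = cbody.decode("latin-1") if ctag == 0x04 else None

    findings = []
    if version in (0, 1):
        findings.append("community string sent in plaintext (SNMPv%s)"
                        % ("1" if version == 0 else "2c"))
    if community in DEFAULT_COMMUNITIES:
        findings.append("default community string %r" % community)
    return {"version": version, "community": community, "findings": findings}


if __name__ == "__main__":
    sample = snmp_get_request(0, "public", "1.3.6.1.2.1.1.1.0")   # sysDescr.0
    print(sample.hex())
    print(audit_snmp(sample))
```

Anyone who can see this datagram on the wire holds the same credential the management station does, which is why the filter above drops 161/162 at the network edge and why SNMPv3 (authenticated, optionally encrypted) is the replacement.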
Routers and bandwidth-consuming attacks
Recent attacks on e-commerce sites such as Yahoo and eBay showed how important it is to be able to reconfigure routers rapidly. These attacks were launched with the following distributed denial of service (DDoS) tools:
· Tribe Flood Network (TFN)
· TFN2K (the successor to TFN)
· Stacheldraht (a variant of TFN)
· Trinoo (the earliest known tool of this type)
Because many companies obtain their connectivity from an ISP, they have no direct access to the routers. When you audit the system, make sure you know how quickly the network can respond to such bandwidth-consuming attacks. You will learn how to use routers to guard against denial of service attacks in a later lesson.
Database
What attackers want most is a company's or department's database. It is now common for companies to store important data in relational or object-oriented databases, including:
· Employee data, such as personal information and salaries.
· Marketing and sales data.
· Important research and development information.
· Inventory and shipping information.
Attackers can identify and attack databases, and each type of database has its own characteristics. For example, SQL Server uses TCP port 1433 and UDP port 1434, so you should ensure that the firewall blocks these ports from untrusted networks. You will find that few sites apply this protection, especially on the internal network.
Server security
Web and FTP servers are typically placed in the DMZ, where they are not fully protected by the firewall, and are therefore particularly vulnerable to attack. Common problems with Web and FTP services include:
· Users send unencrypted information across the public network;
· Well-known vulnerabilities in operating systems and services lead to denial of service or system compromise;
· Older operating systems run these services with root privileges from the start, so once the attacker compromises the service, the intruder can run arbitrary code in the resulting command shell.
Web page Alteration
Recently there has been an increasing number of unauthorized attacks on Web servers that tamper with the default home page. Many businesses, governments and companies have suffered such attacks, sometimes for political purposes. In most cases a defaced Web page means the site has a vulnerability that permitted the intrusion. These attacks typically involve man-in-the-middle attacks (using packet sniffers) and buffer overflows; in some cases hijacking and denial of service attacks are involved as well.
Mail Service
The widely used SMTP, POP3 and IMAP protocols generally communicate in plaintext. Encryption can protect these services, but in practice it is often not used because it is considered too inefficient. Because most people use the same password for a variety of services, an attacker can use a sniffer to capture a user name and password and then use it to attack other resources, such as a Windows NT server. This attack is not limited to NT systems: many different services share user names and passwords. You already know that one weak link can compromise the entire network, and FTP and SMTP services are often the weakest link.
Issues related to mail services include:
· Dictionary and brute-force attacks against POP3 logins;
· Buffer overflows and other vulnerabilities in some versions of Sendmail;
· Abuse of the mail relay (forwarding) function to send large amounts of junk mail.
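The mail section above rests on two facts: POP3 and SMTP credentials cross the wire in plaintext (or in trivially reversible base64), and people reuse the same password elsewhere. The following Python is an added example, not part of the original lesson: it recovers user names and passwords from constructed POP3 and SMTP session transcripts (USER/PASS, AUTH PLAIN and AUTH LOGIN) the way a sniffer's post-processor would, then reports credentials that appear in more than one service. The transcripts, user names and passwords are all constructed for the example.

```python
"""Recover plaintext credentials from captured POP3 and SMTP sessions."""
import base64

# Constructed client/server transcripts (both directions interleaved), not
# from any real capture.  Server replies start with "+OK"/"-ERR" (POP3) or a
# three-digit code (SMTP); every other line is the client talking.
POP3_STREAM = (
    b"+OK POP3 server ready\r\n"
    b"USER alice\r\n"
    b"+OK\r\n"
    b"PASS Winter2024!\r\n"
    b"+OK Logged in.\r\n"
    b"STAT\r\n"
    b"+OK 2 3120\r\n"
)
SMTP_PLAIN_STREAM = (
    b"220 mail.example.net ESMTP\r\n"
    b"EHLO laptop\r\n"
    b"250-mail.example.net\r\n"
    b"250 AUTH PLAIN LOGIN\r\n"
    b"AUTH PLAIN " + base64.b64encode(b"\x00bob\x00secret123") + b"\r\n"
    b"235 2.7.0 Authentication successful\r\n"
)
SMTP_LOGIN_STREAM = (
    b"220 mail.example.net ESMTP\r\n"
    b"EHLO laptop\r\n"
    b"250 AUTH PLAIN LOGIN\r\n"
    b"AUTH LOGIN\r\n"
    b"334 VXNlcm5hbWU6\r\n" + base64.b64encode(b"alice") + b"\r\n"
    b"334 UGFzc3dvcmQ6\r\n" + base64.b64encode(b"Winter2024!") + b"\r\n"
    b"235 2.7.0 Authentication successful\r\n"
)


def pop3_credentials(stream):
    """Return [(user, password)] from USER/PASS command pairs in a POP3 session."""
    creds, user = [], None
    for line in stream.decode("latin-1").split("\r\n"):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS" and user is not None:
            creds.append((user, arg))
            user = None
    return creds


def smtp_credentials(stream):
    """Return [(user, password)] recovered from AUTH PLAIN / AUTH LOGIN exchanges."""
    creds = []
    lines = stream.decode("latin-1").split("\r\n")
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        try:
            if mech == "PLAIN":
                # initial response is either on the AUTH line itself or on the
                # client line that follows the server's "334" prompt
                blob = parts[2] if len(parts) > 2 else lines[i + 2]
                _authzid, user, password = base64.b64decode(blob).split(b"\x00", 2)
            elif mech == "LOGIN":
                # server: 334 VXNlcm5hbWU6 ("Username:"), client: base64 user,
                # server: 334 UGFzc3dvcmQ6 ("Password:"), client: base64 password
                user = base64.b64decode(lines[i + 2])
                password = base64.b64decode(lines[i + 4])
            else:
                continue
        except (IndexError, ValueError):
            continue          # truncated capture or malformed base64
        creds.append((user.decode("latin-1"), password.decode("latin-1")))
    return creds


def shared_credentials(by_service):
    """Credentials (user, password) that were observed in more than one service."""
    seen = {}
    for service, creds in by_service.items():
        for cred in creds:
            seen.setdefault(cred, set()).add(service)
    return {cred for cred, services in seen.items() if len(services) > 1}


if __name__ == "__main__":
    harvest = {
        "pop3": pop3_credentials(POP3_STREAM),
        "smtp": smtp_credentials(SMTP_PLAIN_STREAM) + smtp_credentials(SMTP_LOGIN_STREAM),
    }
    print(harvest)
    print("reused across services:", shared_credentials(harvest))
```

Nothing here breaks any cryptography; base64 is an encoding, not protection, which is the whole point of the lesson's warning. The defence is to carry these protocols inside TLS (POP3S, SMTP with STARTTLS) or, where the traffic cannot be encrypted, to make sure mail passwords are not the same ones that unlock Windows or UNIX accounts.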
Name Service
Attackers typically focus on the DNS service. Because DNS uses UDP, and UDP traffic is often filtered by a variety of firewall rules, many system administrators find it difficult to place a DNS server behind a firewall. As a result, the DNS server is often exposed and becomes a target. DNS attacks include:
· Unauthorized zone transfers;
· DNS poisoning: while the primary DNS server is transferring the zone to the secondary, the attacker inserts false DNS records; once this succeeds, the secondary server hands out wrong name-to-address resolutions;
· Denial of service attacks;
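The first item in the list above, unauthorized zone transfers, is the one an auditor can test directly: ask the server for the whole zone and see whether it refuses. The following Python is an added example, not part of the original lesson or of any DNS software: it builds the AXFR request a client sends over TCP (header, question with QTYPE 252, and the two-byte length prefix TCP framing requires), decodes the question name back out of a reply, and classifies constructed replies as REFUSED or as a successful transfer from the header's response code and answer count. The zone name, transaction ID and reply messages are assumptions for the example; no records are parsed beyond the header.

```python
"""Build a DNS zone-transfer (AXFR) request and classify the server's answer."""
import struct

QTYPE_AXFR, QCLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, pos):
    """Decode a (possibly compressed) name at msg[pos]; returns (name, next_pos)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = pos + 2                # the name occupies only the 2 pointer bytes
            pos, jumped = ((length & 0x3F) << 8) | msg[pos + 1], True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (end if jumped else pos)


def axfr_query(zone, txid=0x1234):
    """AXFR query for `zone`, framed with the 2-byte length prefix used over TCP."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags 0: query, RD clear
    msg = header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return struct.pack("!H", len(msg)) + msg


def constructed_reply(zone, flags, ancount, txid=0x1234):
    """Constructed server reply (header + echoed question, no RR bodies) for the example."""
    msg = (struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
           + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN))
    return struct.pack("!H", len(msg)) + msg


def classify_axfr_reply(reply, txid=0x1234):
    """Say whether a TCP-framed AXFR reply hands out the zone, from its header."""
    msg = reply[2:]
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:    # wrong ID or QR bit clear
        return "not our response"
    rcode = RCODES.get(flags & 0x0F, str(flags & 0x0F))
    zone, _ = decode_name(msg, 12) if qdcount else ("", 12)
    if rcode == "NOERROR" and ancount > 0:
        return f"zone transfer of {zone} ALLOWED ({ancount} records in first message)"
    return f"zone transfer of {zone} denied: {rcode}"


if __name__ == "__main__":
    print(axfr_query("example.com").hex())
    print(classify_axfr_reply(constructed_reply("example.com", 0x8005, 0)))   # QR + REFUSED
    print(classify_axfr_reply(constructed_reply("example.com", 0x8400, 3)))   # QR + AA, 3 RRs
```

A server that answers the query with NOERROR and a run of records is handing your whole zone (host names, mail servers, internal addresses) to anyone who asks; the fix is to restrict transfers to the secondaries' addresses or sign them with TSIG.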
Other name services are also targeted, including:
· WINS: the "Coke" attack takes down unpatched NT systems by denial of service.
· SMB services (both Windows SMB and Samba on Unix): these are vulnerable to man-in-the-middle attacks, and captured packets can be cracked with programs such as L0phtCrack.
· NFS and NIS: these services are also frequently subject to man-in-the-middle attacks.
When auditing these various services, consider upgrading the processes that provide them.
Auditing system bugs
As a security manager or auditor you need to be aware of vulnerabilities in the operating system and in software that can be exploited. Earlier versions of Microsoft IIS allowed users to run commands from the browser's address bar, which caused major security problems for IIS. In practice the best way to fix a security vulnerability is to upgrade the affected software. To do so you must read widely and communicate with others engaged in security work so that you keep up with the latest developments; this will help you learn about the specific problems with your operating system.
Although most vendors have released fixes for problems in their products, you must fully understand what each fix addresses. If the operating system or program is complex, a fix may open new vulnerabilities while patching old ones. Therefore you need to test before deploying an upgrade; this includes verifying on an isolated network segment that it meets your needs. Of course, you should also consult trustworthy Web publications and expert opinion.
Auditing trap doors and rootkits
A rootkit is a Trojan horse that replaces legitimate programs. A trap door is a flaw in a system that produces unexpected results when a legitimate program is executed. For example, in older versions of UNIX sendmail, executing the debug command allowed the user to run script code with root privileges, so that even a tightly restricted user could easily add a user account.
Although rootkits typically appear on UNIX systems, attackers can also plant a backdoor in Windows NT through seemingly legitimate programs. Backdoor programs such as NetBus, Back Orifice and Masters of Paradise allow attackers to penetrate and control a system, and Trojans can be generated with these programs. A sufficiently cunning attacker can make these Trojans evade some virus scanners, although an up-to-date scanner will usually still find their traces. When you audit your system, you can detect problems such as rootkits by verifying file checksums against a known-good baseline and by scanning for open ports.
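The paragraph above names the two host-side checks for rootkits and backdoors, checksum verification and a look at open ports, and the database section earlier made the related point that few sites keep database ports off the network. The following Python is an added example, not part of the original lesson, covering both passages: it parses a constructed listing in the style of `ss -ltn` output and flags listeners on the default ports of the backdoors the lesson names, database ports bound to all interfaces rather than loopback, and anything not on an allow-list; and it computes a SHA-256 baseline of a directory tree and reports files that were modified, added or removed since the baseline was taken. The port table, the sample listing and the allow-list are assumptions for the example (NetBus defaults to TCP 12345/12346; Back Orifice's default 31337 is UDP, so a TCP listing cannot show it).

```python
"""Two host-side checks for backdoors and rootkits: listening ports and file integrity."""
import hashlib
import os

# Default ports of services and backdoors named in this lesson (assumption for
# the example; extend for your environment).
SUSPECT_PORTS = {12345: "NetBus", 12346: "NetBus"}
DB_PORTS = {1433: "MS SQL Server", 3306: "MySQL", 1521: "Oracle"}
LOOPBACK = ("127.0.0.1", "[::1]", "::1")

# Constructed `ss -ltn` style output; not taken from a real host.
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*
LISTEN  0       128      0.0.0.0:1433         0.0.0.0:*
LISTEN  0       50       0.0.0.0:12345        0.0.0.0:*
LISTEN  0       128      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128      [::]:80              [::]:*
"""


def parse_listeners(text):
    """Return [(local address, port)] for every LISTEN line in an ss-style listing."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # rpartition copes with [::]:80
        listeners.append((addr, int(port)))
    return listeners


def audit_listeners(listeners, allowed):
    """Return [(port, reason)] for listeners an auditor should question."""
    findings = []
    for addr, port in listeners:
        exposed = addr not in LOOPBACK          # reachable from other hosts
        if port in SUSPECT_PORTS:
            findings.append((port, f"default port of the {SUSPECT_PORTS[port]} backdoor"))
        elif port in DB_PORTS and exposed:
            findings.append((port, f"{DB_PORTS[port]} reachable from the network on {addr}"))
        elif port not in allowed and exposed:
            findings.append((port, f"unexpected listener on {addr}"))
    return findings


def hash_tree(root):
    """{relative path: sha256 hex} for every file below root (the baseline must
    be stored off the host, or a rootkit can simply rewrite it)."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                hashes[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return hashes


def compare_baseline(baseline, current):
    """Diff two hash_tree() results: replaced binaries show up as 'modified'."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


if __name__ == "__main__":
    for port, reason in audit_listeners(parse_listeners(SAMPLE_LISTENERS), allowed={22, 80}):
        print(f"port {port}: {reason}")
```

Run the integrity check from clean media: a rootkit that replaces ls, ps and netstat can hide its files and sockets from tools on the compromised host, which is why the baseline comparison and the port scan should both be done from a trusted system rather than by trusting the host's own output.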
Auditing denial of service attacks
Windows NT is vulnerable to denial of service attacks, mainly because the operating system is so widespread and was not rigorously tested. The frequency of attacks on NT services can be summed up by the fact that its rapid development left many holes. When auditing a Windows NT network, you must take time to verify that the system can withstand such attacks. Patching is one remedy; it is better still to place the server behind a firewall or deploy an intrusion detection system. UNIX systems are usually also easy to break into, mainly because they were designed to accommodate exactly those kinds of tricks!
Auditing backdoor programs
Typically there are code vulnerabilities in the operating systems and programs running on a server; for example, a number of security issues were recently found in a commercial Web browser. Attackers often know these vulnerabilities and exploit them. As you already know, RedButton exploits a Windows NT vulnerability that lets an attacker learn the default administrator account even if the account has been renamed. A backdoor also refers to an entry point that is not documented in the operating system or program; program designers deliberately leave such a portal to facilitate rapid product support. Unlike bugs, backdoors are intentionally left by the designer. For example, programs like Quake and Doom contained backdoors that allowed unauthorized users to enter the systems on which the games were installed. Although it seems that no system administrator would allow such programs to be installed on a network server, this situation still occurs.
From the dangers of backdoor programs we can conclude that you should not trust any new service or program until you have first read about it and consulted trusted colleagues. When you audit, take time to carefully document any programs whose origin and history you do not understand.